arm64: zynqmp: Add support for encryption and decryption on data blob

This patch adds support for encryption and decryption on a given data
blob using different key sources such as userkey(KUP), device key and
PUF key. Inorder to support this a new zynqmp command(zynqmp aes) has
been introduced.

Command:
zynqmp aes srcaddr ivaddr len aesop keysrc dstaddr [keyaddr]\n"
	Encrypts or decrypts blob of data at src address and puts it\n"
	back to dstaddr using key and iv at keyaddr and ivaddr\n"
	respectively. keysrc values specifies from which source key\n"
	has to be used, it can be User/Device/PUF key. A value of 0\n"
	for KUP(user key),1 for DeviceKey and 2 for PUF key. The\n"
	aesop value would specify the operationwhich can be 0 for\n"
	decrypt and 1 for encrypt(1) operation\n";

Signed-off-by: Siva Durga Prasad Paladugu <siva.durga.paladugu@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>

2 files changed, 82 insertions, 1 deletions

diff --git a/arch/arm/mach-zynqmp/include/mach/sys_proto.h b/arch/arm/mach-zynqmp/include/mach/sys_proto.h
index f2b3ceab13..df944bde09 100644
--- a/arch/arm/mach-zynqmp/include/mach/sys_proto.h
+++ b/arch/arm/mach-zynqmp/include/mach/sys_proto.h
@@ -9,6 +9,7 @@
 
 #define ZYNQMP_CSU_SILICON_VER_MASK	0xF
 #define KEY_PTR_LEN	32
+#define IV_SIZE		12
 
 #define ZYNQMP_FPGA_BIT_AUTH_DDR	1
 #define ZYNQMP_FPGA_BIT_AUTH_OCM	2
diff --git a/board/xilinx/zynqmp/cmds.c b/board/xilinx/zynqmp/cmds.c
index c0d28a73e4..b816af7379 100644
--- a/board/xilinx/zynqmp/cmds.c
+++ b/board/xilinx/zynqmp/cmds.c
@@ -9,11 +9,22 @@
 #include <cpu_func.h>
 #include <env.h>
 #include <malloc.h>
+#include <memalign.h>
 #include <zynqmp_firmware.h>
 #include <asm/arch/hardware.h>
 #include <asm/arch/sys_proto.h>
 #include <asm/io.h>
 
+struct aes {
+	u64 srcaddr;
+	u64 ivaddr;
+	u64 keyaddr;
+	u64 dstaddr;
+	u64 len;
+	u64 op;
+	u64 keysrc;
+};
+
 static int do_zynqmp_verify_secure(struct cmd_tbl *cmdtp, int flag, int argc,
 				   char *const argv[])
 {
@@ -107,6 +118,66 @@ static int do_zynqmp_mmio_write(struct cmd_tbl *cmdtp, int flag, int argc,
 	return ret;
 }
 
+static int do_zynqmp_aes(struct cmd_tbl *cmdtp, int flag, int argc,
+			 char * const argv[])
+{
+	ALLOC_CACHE_ALIGN_BUFFER(struct aes, aes, 1);
+	int ret;
+	u32 ret_payload[PAYLOAD_ARG_CNT];
+
+	if (zynqmp_firmware_version() <= PMUFW_V1_0) {
+		puts("ERR: PMUFW v1.0 or less is detected\n");
+		puts("ERR: Encrypt/Decrypt feature is not supported\n");
+		puts("ERR: Please upgrade PMUFW\n");
+		return CMD_RET_FAILURE;
+	}
+
+	if (argc < cmdtp->maxargs - 1)
+		return CMD_RET_USAGE;
+
+	aes->srcaddr = simple_strtoul(argv[2], NULL, 16);
+	aes->ivaddr = simple_strtoul(argv[3], NULL, 16);
+	aes->len = simple_strtoul(argv[4], NULL, 16);
+	aes->op = simple_strtoul(argv[5], NULL, 16);
+	aes->keysrc = simple_strtoul(argv[6], NULL, 16);
+	aes->dstaddr = simple_strtoul(argv[7], NULL, 16);
+
+	flush_dcache_range((ulong)aes, (ulong)(aes) +
+			   roundup(sizeof(struct aes), ARCH_DMA_MINALIGN));
+
+	if (aes->srcaddr && aes->ivaddr && aes->dstaddr) {
+		flush_dcache_range(aes->srcaddr,
+				   (aes->srcaddr +
+				    roundup(aes->len, ARCH_DMA_MINALIGN)));
+		flush_dcache_range(aes->ivaddr,
+				   (aes->ivaddr +
+				    roundup(IV_SIZE, ARCH_DMA_MINALIGN)));
+		flush_dcache_range(aes->dstaddr,
+				   (aes->dstaddr +
+				    roundup(aes->len, ARCH_DMA_MINALIGN)));
+	}
+
+	if (aes->keysrc == 0) {
+		if (argc < cmdtp->maxargs)
+			return CMD_RET_USAGE;
+
+		aes->keyaddr = simple_strtoul(argv[8], NULL, 16);
+		if (aes->keyaddr)
+			flush_dcache_range(aes->keyaddr,
+					   (aes->keyaddr +
+					    roundup(KEY_PTR_LEN,
+						    ARCH_DMA_MINALIGN)));
+	}
+
+	ret = xilinx_pm_request(PM_SECURE_AES, upper_32_bits((ulong)aes),
+				lower_32_bits((ulong)aes), 0, 0, ret_payload);
+	if (ret || ret_payload[1])
+		printf("Failed: AES op status:0x%x, errcode:0x%x\n",
+		       ret, ret_payload[1]);
+
+	return ret;
+}
+
 #ifdef CONFIG_DEFINE_TCM_OCM_MMAP
 static int do_zynqmp_tcm_init(struct cmd_tbl *cmdtp, int flag, int argc,
 			      char *const argv[])
@@ -153,6 +224,7 @@ static struct cmd_tbl cmd_zynqmp_sub[] = {
 	U_BOOT_CMD_MKENT(pmufw, 4, 0, do_zynqmp_pmufw, "", ""),
 	U_BOOT_CMD_MKENT(mmio_read, 3, 0, do_zynqmp_mmio_read, "", ""),
 	U_BOOT_CMD_MKENT(mmio_write, 5, 0, do_zynqmp_mmio_write, "", ""),
+	U_BOOT_CMD_MKENT(aes, 9, 0, do_zynqmp_aes, "", ""),
 #ifdef CONFIG_DEFINE_TCM_OCM_MMAP
 	U_BOOT_CMD_MKENT(tcminit, 3, 0, do_zynqmp_tcm_init, "", ""),
 #endif
@@ -196,6 +268,14 @@ static char zynqmp_help_text[] =
 	"zynqmp mmio_read address - read from address\n"
 	"zynqmp mmio_write address mask value - write value after masking to\n"
 	"					address\n"
+	"zynqmp aes srcaddr ivaddr len aesop keysrc dstaddr [keyaddr] -\n"
+	"	Encrypts or decrypts blob of data at src address and puts it\n"
+	"	back to dstaddr using key and iv at keyaddr and ivaddr\n"
+	"	respectively. keysrc value specifies from which source key\n"
+	"	has to be used, it can be User/Device/PUF key. A value of 0\n"
+	"	for KUP(user key),1 for DeviceKey and 2 for PUF key. The\n"
+	"	aesop value specifies the operation which can be 0 for\n"
+	"	decrypt and 1 for encrypt operation\n"
 #ifdef CONFIG_DEFINE_TCM_OCM_MMAP
 	"zynqmp tcminit mode - Initialize the TCM with zeros. TCM needs to be\n"
 	"		       initialized before accessing to avoid ECC\n"
@@ -208,7 +288,7 @@ static char zynqmp_help_text[] =
 #endif
 
 U_BOOT_CMD(
-	zynqmp, 5, 1, do_zynqmp,
+	zynqmp, 9, 1, do_zynqmp,
 	"ZynqMP sub-system",
 	zynqmp_help_text
 )